Transferring a Project over Ethernet with IPsec

This product supports IPsec encrypted transfer via Ethernet to prevent unauthorized access.

Note:

  • Ethernet transfer with IPsec is not available for a display unit connected to Pro-face Connect. Transfer the project without IPsec; the transfer is encrypted by Pro-face Connect.
    Transferring a Project over Ethernet
  • The models listed below support IPsec. For all other models, use Ethernet transfer.
    ST6000 Series
    ST6000 2nd Gen Series
    STM6000 Series
    SP5000 Series
    SP5000X Series
    GP-4100 Series

    Transferring a Project over Ethernet
  • Other than for transfer, IPsec cannot be used for TCP communication between a PC and the display unit. While an Ethernet transfer with IPsec is in progress, other TCP communication between the PC and display unit is not available.

Introduction to IPsec

The Internet Engineering Task Force (IETF) developed and designed Internet Protocol Security (IPsec) as an open set of protocol standards that make IP communication sessions private and secure. The IPsec authentication and encryption algorithms require user-defined cryptographic keys that process the communication packets in an IPsec session.

Setting Workflow

Perform the following steps to use IPsec encryption for Ethernet transfer.

  1. Update Runtime Version
  2. Configure IPsec on the PC
  3. Configure IPsec on the Display Unit
  4. Transfer Project File

Update Runtime Version

If the runtime version is before 3.1.100.***, use any transfer method other than IPsec Transfer to update the runtime to version 3.1.100.*** or later. When the project is transferred with screen editing software version 3.1 Service Pack 1 or later, the runtime version will be updated.

Transferring a Project over Ethernet

Transferring a Project over an USB Cable

Transferring a Project with the File System

Note:

  • This step is necessary only when the runtime version is before version 3.1.100.***. Check your runtime version on the Hardware Configuration screen.
    About Hardware Configuration

Configure IPsec on the PC

The following describes how to enable IPsec on your PC.

Note: Before configuring IPsec, enable Windows Defender Firewall. Administrator rights are required to configure the firewall. For more information, refer to Windows help.

  1. On your keyboard, press the [Windows logo] key + [R] key.
  2. Type wf.msc and click [OK].
  3. Right-click [Windows Defender Firewall with Advanced Security on Local Computer], and select [Properties].
  4. From the [IPsec Settings] tab, click [Customize].
  5. In the [Key exchange (Main Mode)] field, select the [Advanced] option and click [Customize].
  6. Click [Add].
  7. Select the following and click [OK].

    [Integrity algorithm]

    [SHA-256]

    [Encryption algorithm]

    [AES-CBC 128]

    [Key exchange algorithm]

    [Diffie-Hellman Group 14]

  8. Select the added item, and click the icon to move the item to the top of the list.
  9. Click [OK].
  10. From the [Data protection (Quick Mode)] field, select the [Advanced] option and click [Customize].
  11. Select the [Require encryption for all connection security rules to protect network traffic] check box, and move the following item to the top of the [Data integrity and encryption] list.

    Note: If the item is not in the list, add it by clicking [Add].


    [Protocol]

    [ESP]

    [Integrity]

    [SHA-1]

    [Encryption]

    [AES-CBC 128]

    [Key Lifetime(minutes/KB)]

    [60/100.000]

  12. Click [OK].

  13. Right-click [Connection Security Rules], and click [New Rule].
  14. Select [Custom] and click [Next].
  15. For [Endpoint 1], select the [Any IP address].
  16. For [Endpoint 2], select the [These IP addresses] option and add the IP address of the display unit.
  17. Click [Next].
  18. Select [Require authentication for inbound and outbound connections] and click [Next].
  19. Select the [Advanced] option and click [Customize].
  20. From the [First authentication] area, click [Add].
  21. Select the [Preshared key (not recommended)] option and type the preshared key.

    Note: The preshared key must be 16 characters with at least 1 lower case character, 1 upper case character, 1 number, and 1 special character ( ~ ! @ $ % ^ & * _ + - = ` \ ( ) [ ] : " ' < > { } # ; ).

  22. Click [OK].
  23. Click [Next].
  24. From [Protocol type], select [TCP].
  25. Set up [Endpoint 2 port].

    When Using SP5000 Series Open Box (Windows 10 IoT Enterprise Model), or ST6000 2nd Gen Series

    Select [Specific Ports] and type 3320,3321,8050.

    When Using SP5000 Series Power Box, SP5000X Series, GP-4100 Series, ST6000 Series, or STM6000 Series

    Select [All Ports].

  26. Click [Next].
  27. Select the network profile for transfer operation, and click [Next].
  28. Type the [Name], and click [Finish].
  29. Confirm the rule is added in [Connection Security Rules] and that [Yes] is displayed in the [Enabled] column.

    Note: After transferring the project file, right-click the rule and click [Disable Rule] to disable IPsec. When IPsec is still enabled after transfer, TCP communication between the PC and display unit will not work.
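The GUI steps 1 to 29 above can also be reproduced from an elevated PowerShell prompt with the Windows NetSecurity cmdlets. The script below is an added example, not part of this manual or of the screen editing software: the display unit address 192.0.2.10, the rule and set display names, and the placeholder key are assumptions to replace with your own values. Before it creates anything it checks the key against the rule in the note to step 21 (exactly 16 characters, one lower case, one upper case, one digit, one of the listed special characters), and at the end it prints the rule so you can confirm step 29.

```powershell
# Added example (not Pro-face's own code): creates the Main Mode proposal,
# Quick Mode proposal, preshared-key authentication and connection security
# rule described in the GUI steps, using the NetSecurity module.
# Run from an elevated PowerShell session on the transferring PC.
#Requires -RunAsAdministrator
param(
    [string]$UnitIp = '192.0.2.10',                   # constructed placeholder: display unit IP address
    [string[]]$UnitPorts = @('3320', '3321', '8050'),  # Open Box / ST6000 2nd Gen; pass 'Any' for the [All Ports] models
    [string]$NetworkProfile = 'Private',               # network profile chosen in step 27
    [string]$PreSharedKey = 'REPLACE-WITH-KEY'         # placeholder, see Test-PresharedKey below
)

function Test-PresharedKey {
    param([Parameter(Mandatory)][string]$Key)
    # Rule from the note to step 21. -cmatch is used because PowerShell's
    # -match is case-insensitive and would not distinguish upper from lower case.
    $special = '[~!@$%^&*_+\-=`\\()\[\]:"''<>{}#;]'
    return ($Key.Length -eq 16) -and
           ($Key -cmatch '[a-z]') -and
           ($Key -cmatch '[A-Z]') -and
           ($Key -cmatch '[0-9]') -and
           ($Key -cmatch $special)
}

if (-not (Test-PresharedKey $PreSharedKey)) {
    throw 'The preshared key does not meet the requirements in the note to step 21.'
}

# Steps 5-9: Key exchange (Main Mode) = SHA-256 / AES-CBC 128 / Diffie-Hellman Group 14
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA256 -KeyExchange DH14
$mmSet = New-NetIPsecMainModeCryptoSet -DisplayName 'Display unit transfer (Main Mode)' -Proposal $mmProposal

# Steps 10-12: Data protection (Quick Mode) = ESP / SHA-1 / AES-CBC 128, key lifetime 60 min or 100,000 KB.
# The global [Require encryption for all connection security rules] check box is not set by this script.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES128 -MaxMinutes 60 -MaxKilobytes 100000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Display unit transfer (Quick Mode)' -Proposal $qmProposal

# Steps 20-21: first authentication = preshared key (computer authentication)
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Display unit transfer (PSK)' -Proposal $authProposal

# Apply the Main Mode crypto set to IKE negotiations with the display unit
New-NetIPsecMainModeRule -DisplayName 'Display unit transfer (IKE)' -RemoteAddress $UnitIp `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

# Steps 13-28: custom rule, Endpoint 1 = Any, Endpoint 2 = display unit, TCP,
# require authentication for inbound and outbound connections
New-NetIPsecRule -DisplayName 'Display unit transfer' -LocalAddress Any -RemoteAddress $UnitIp `
    -Protocol TCP -RemotePort $UnitPorts -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name -Profile $NetworkProfile | Out-Null

# Step 29: confirm the rule exists and is enabled
Get-NetIPsecRule -DisplayName 'Display unit transfer' | Select-Object DisplayName, Enabled, Profile
```

Run it as `.\Set-DisplayUnitIPsec.ps1 -UnitIp <address> -PreSharedKey <key>`; for the models that use [All Ports] in step 25, pass `-UnitPorts Any`. After the transfer, `Disable-NetIPsecRule -DisplayName 'Display unit transfer'` is the equivalent of the [Disable Rule] step in the note above, so that normal TCP communication with the display unit works again.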

Configure IPsec on the Display Unit

When Using SP5000 Series Open Box (Windows 10 IoT Enterprise Model)

On the display unit, configure the Windows Firewall to use IPsec.

Configuring IPsec on the PC

Note:

  • Use the same preshared key as set up on the PC.
  • IP address settings are the same as on the PC.
    [Endpoint 1] [Any IP address]
    [Endpoint 2]

    Select [These IP addresses:] and add the IP address of the display unit.

  • Port settings are the same as on the PC.

    [Endpoint 2 port:]

    Select [Specific Ports] and type 3320,3321,8050.


When Using SP5000 Series Power Box, SP5000X Series, GP-4100 Series, ST6000 Series, ST6000 2nd Gen Series, or STM6000 Series

Open the Hardware Configuration screen and set the preshared key.

  1. Open the Hardware Configuration screen.
    About Hardware Configuration
  2. Touch the button to the right of the [IPsec] field.
  3. In [IPsec], touch the [Enable] button.

    Note: When using ST6000 2nd Gen Series, the system reboots after [IPsec] is enabled. Open the Hardware Configuration screen and touch the button to the right of the [IPsec] field again.

  4. Enter the preshared key.

    Note: Use the same preshared key as set up on the PC.

  5. Touch [Save and Reboot]. The changes are saved and the run-time application restarts.

Transfer Project File

To run Ethernet transfer, operations are required on both the PC (screen editing software) and Display Unit (Hardware Configuration screen). Because the Ethernet port on the display unit is normally closed, as part of the transfer process, you need to open the port in the Hardware Configuration screen (see step 8 in the table below).

Important:

  • To communicate using Ethernet, the IP address in the Ethernet settings must be set up on the display unit.

  • The display unit system uses Ethernet port numbers 3320-3321 and 8050-8051. Do not close these ports in the firewall settings.

  • To prevent tampering with the project file on the display unit, enable user authentication for project file transfer operations. For the setup procedure, see the table below.
    Take precautions: transfer is not possible if you forget the user name or password.

Note:

  • Check if the configured Ethernet ports are available on the display unit.
  • Your PC or network card may not support a direct connection with the display unit using an Ethernet cable. If communication is not possible, try the following:
  • You cannot transfer the project during simulation.

  • When the screen editing software and the runtime application reside on the same PC, set [127.0.0.1] to Target's property [Transfer Method] - [IP Address].

To transfer a project:

The table has two columns, PC (Screen Editing Software) and Display Unit (Hardware Configuration screen); each step below is marked with the side on which it is performed.

Step 1

Connect the PC (installed with the screen editing software) and the display unit to the Ethernet network.

Step 2 (Display Unit)

Turn on the display unit.

(When Using SP5000 Series Open Box (Windows 10 IoT Enterprise Model))

From the Program menu, click [BLUE Runtime] > [BLUE Runtime (Run as Administrator)].

Note: If you cannot select [Run as administrator], please contact your system administrator.

Step 3 (PC)

Start the screen editing software and open the project you want to transfer.

Step 4 (PC)

In the Project Explorer window, from [System Architecture] click [Target01].

Note: Make sure the display unit you are transferring to is the same display unit type as defined in the screen editing software.

Step 5 (PC)

In the Properties window, go to the [Function] tab ➞ [Basic] tab and in [Type] confirm that the [Transfer Method] is [Ethernet].

Set the IP address to which the project files are to be transferred.

Step 6 (PC)

From [Security Setting] select [Enable] and in the [Security Level] field set the security level required to perform transfer operations.

Note:

  • If [Disable] is selected in [Security Setting], the project file is transferred without user authentication.
  • When [Enable] is not selected in the [Settings] Properties window, the project file is transferred without authentication.
    (To open the [Settings] Properties window, in the Project Explorer window, go to [Security] and click [Settings].)
  • If there is no user group or user that satisfies the [Security Level], the project file cannot be transferred. For creating user groups and users, see the following.
    Steps to Design (Security)

Step 7 (Display Unit)

Open the Hardware Configuration screen.
Hardware Configuration

Step 8 (Display Unit)

From [Ethernet Download], touch the [Enable] button.

➞ The standby screen is displayed. Display unit operations are not possible while the standby screen is displayed.

Step 9 (PC)

On the Application toolbar, click the icon.

Note: If the product is not licensed, the icon is greyed out and you cannot transfer the project.

Step 10 (PC)

The Download Manager dialog box displays the transfer status.

You are prompted for a [User name] and [Password]. Enter the user name and password of a user that satisfies the required security level and click [OK].

Important: Do not turn OFF the PC or the display unit, and do not disconnect the transfer cable, during transfer (PC to Display Unit). Doing so can cause an error when the display unit is started.

Note:

  • Before the Download Manager dialog box is displayed, a dialog box showing the validation and file generation progress is displayed. Depending on the size of the project, it may take some time before the Download Manager dialog box appears.
  • The Download Manager dialog box displays the Keep and Overwrite/Clear runtime data options depending on the settings of User Information, Ethernet Settings, Local Storage, Alarm, Logging and Operation Logs.
    For more information, refer to the following.
    Keep Runtime Data after Transferring
  • It may take some time to transfer very large project files.

Step 11 (PC)

After the transfer is complete, close the Download Manager dialog box.

After the project is transferred successfully, the display unit restarts and runs the transferred project.

Note: When transferring to a GP-4100 Series unit that has a system from version 3.0 or earlier, after a message box displays to indicate that the transfer is complete, the GP-4100 Series unit may not restart even after several minutes elapse.

Because the transfer operation is complete, you can restart the GP-4100 Series unit by pulling out and reinserting the power cable.

Always Allow Ethernet Transfer

Set up the following when you have to transfer frequently, such as when debugging the application, so you can avoid having to enter Hardware Configuration and enable Ethernet download every time.

Important:

The configuration below is not recommended. When using this configuration, the display unit always accepts Ethernet transfers, which increases the security risk.

  1. In the Project Explorer window, from [System Architecture] click [Target01].

  2. In the Properties window, go to [Advanced] tab ➞ [Settings] tab and from [Preferences] select the [Always Allow Ethernet Transfer] check box.

Troubleshooting

When the Download Manager dialog box displays an error, see the following.

Error: [Unable to connect specified destination.
Check if the display unit is in project transfer standby.]

Cause 1: IPsec is not enabled on either or both the display unit and PC.

Solution: Enable IPsec.
Configuring IPsec on the PC
Configuring IPsec on the Display Unit

Cause 2: IPsec is not configured properly on either or both the display unit and Windows PC.

Solution:
  • Confirm the IPsec settings on the PC.
    Configuring IPsec on the PC
  • Confirm that the same preshared key is used on the display unit and PC.

Cause 3: IKE and IPsec traffic is blocked by a firewall or other program associated with antivirus applications.

Solution: Verify that the IKE port (UDP 500) and IPsec ESP (IP protocol 50; ESP is not a TCP/UDP port) are allowed on all firewalls between the PC and display unit, including the firewall associated with antivirus applications.
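To tell the three causes in the table apart from the PC side, the script below (an added example, not part of this manual) inspects the connection security rule and the IKE and IPsec security associations with the display unit using the NetSecurity cmdlets. It assumes the rule display name 'Display unit transfer' and the display unit address 192.0.2.10 (both placeholders to replace) and the RemoteEndpoint property exposed by Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA; run it right after a failed transfer attempt, because security associations only exist while a negotiation has been tried.

```powershell
# Added example (not Pro-face's own code): maps the observable IPsec state on
# the PC to the causes listed in the troubleshooting table.
param(
    [string]$UnitIp = '192.0.2.10',              # constructed placeholder: display unit IP address
    [string]$RuleName = 'Display unit transfer'  # display name of the connection security rule
)

# Cause 1: the rule is missing or disabled on this side (step 29 of the PC setup)
$rule = Get-NetIPsecRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "No IPsec rule named '$RuleName' exists: enable IPsec on the PC (cause 1)."
} elseif ("$($rule.Enabled)" -ne 'True') {
    Write-Warning "IPsec rule '$RuleName' is disabled: enable it with Enable-NetIPsecRule (cause 1)."
}

# Causes 2 and 3: look for an IKE (Main Mode) SA and an IPsec (Quick Mode) SA with the unit
$mmSa = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $UnitIp }
$qmSa = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $UnitIp }

if (-not $mmSa) {
    "No IKE SA with $UnitIp. Either the preshared key differs between PC and display unit (cause 2) " +
    "or UDP 500 is blocked between them (cause 3). Confirm the key on both sides and the firewalls in the path."
} elseif (-not $qmSa) {
    "IKE SA with $UnitIp established but no IPsec SA. Check that the Quick Mode proposal " +
    "(ESP / SHA-1 / AES-CBC 128) matches on both sides (cause 2) and that ESP, IP protocol 50, is not filtered (cause 3)."
} else {
    "IPsec SA with $UnitIp is up. The error is not caused by IPsec: confirm that [Ethernet Download] " +
    "is enabled on the display unit and that it is showing the standby screen."
}
```

The Enabled property is compared as a string because the rule object exposes it as an enumeration rather than a Boolean; the remaining checks only read state and change nothing, so the script can be run repeatedly while you correct the configuration on either side.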